
redhat: Build IMA CA certificate into the Fedora kernel

Coiby Xu requested to merge coxu/kernel-ark:ima_keys into os-build

Since Fedora 37, package files have been signed with IMA signatures [1]. This patch builds the Fedora IMA CA certificate fedoraimaca.x509[2] into the .builtin_trusted_keys keyring. With a proper IMA policy applied, the kernel can provide system-wide integrity protection. With Secure Boot enabled, the trust can be extended to the user space.

Note the Fedora IMA code signing certs are inside /etc/keys/ima after installing fedora-gpg-keys.

[1] https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
[2] https://src.fedoraproject.org/rpms/fedora-repos/blob/rawhide/f/fedora-ima-ca.der

Signed-off-by: Coiby Xu coxu@redhat.com
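Added verification example, not part of this merge request or of the kernel-ark tree: two checks an administrator would run on a booted kernel built with this change, written as shell functions over captured command output so they can be exercised offline. The function names, the `IMA_CA_PATTERN` subject string "Fedora IMA CA", and the sample listing and xattr values are all assumptions or constructed data; only the `security.ima` type bytes (from the kernel's `security/integrity/integrity.h`) are taken from the kernel itself.

```shell
#!/bin/sh
# Added example (not the merge request's code). Two post-install checks:
#
#  1. Is the Fedora IMA CA present in the .builtin_trusted_keys keyring?
#     Live command:  keyctl list %:.builtin_trusted_keys
#  2. Does a file carry an IMA *signature* (not merely a digest) in its
#     security.ima xattr? A digest alone is accepted by an appraise policy
#     without any CA, so it proves nothing about the trust chain.
#     Live command:  getfattr -n security.ima -e hex --absolute-names FILE
#
# Both checks take the command output as text so they run against captures.

# Assumption: the CA certificate's subject contains "Fedora IMA CA".
# Override IMA_CA_PATTERN if the real subject differs.
IMA_CA_PATTERN="${IMA_CA_PATTERN:-Fedora IMA CA}"

# Returns 0 when an asymmetric key matching IMA_CA_PATTERN is in the listing.
ima_ca_in_keyring() {
    listing="$1"
    printf '%s\n' "$listing" | grep -q "asymmetric: .*$IMA_CA_PATTERN"
}

# Classifies a security.ima value by its first (type) byte, as defined in
# enum evm_ima_xattr_type in security/integrity/integrity.h:
#   0x01 IMA_XATTR_DIGEST   0x02 EVM_XATTR_HMAC
#   0x03 EVM_IMA_XATTR_DIGSIG   0x04 IMA_XATTR_DIGEST_NG
ima_xattr_kind() {
    case "$1" in
        0x01*) echo "digest" ;;
        0x02*) echo "evm-hmac" ;;
        0x03*) echo "signature" ;;
        0x04*) echo "digest-ng" ;;
        *)     echo "unknown" ;;
    esac
}

# Returns 0 only for a real IMA signature (EVM_IMA_XATTR_DIGSIG).
ima_file_is_signed() {
    [ "$(ima_xattr_kind "$1")" = "signature" ]
}

# --- Constructed sample data (not captured from a real system) ---------
SAMPLE_KEYRING='3 keys in keyring:
 123456789: ---lswrv     0     0 asymmetric: Fedora Secure Boot CA: 0a1b2c
 234567890: ---lswrv     0     0 asymmetric: Fedora IMA CA: 3d4e5f
 345678901: ---lswrv     0     0 asymmetric: Fedora kernel signing key: 6a7b8c'

SAMPLE_KEYRING_NO_CA='1 key in keyring:
 123456789: ---lswrv     0     0 asymmetric: Fedora Secure Boot CA: 0a1b2c'

# Truncated, constructed xattr values: 0x03 02 = signature, v2 format;
# 0x04 04 = digest-ng carrying a SHA-256 hash.
SAMPLE_SIGNED_XATTR='0x030204aabbccdd'
SAMPLE_HASHED_XATTR='0x0404aabbccdd'

# Stand-alone demonstration over the constructed samples.
if ima_ca_in_keyring "$SAMPLE_KEYRING"; then
    echo "IMA CA found in keyring listing"
else
    echo "IMA CA missing from keyring listing"
fi
for x in "$SAMPLE_SIGNED_XATTR" "$SAMPLE_HASHED_XATTR"; do
    echo "$x -> $(ima_xattr_kind "$x")"
done
```

On a live system, feed `ima_ca_in_keyring "$(keyctl list %:.builtin_trusted_keys)"` and `ima_file_is_signed "$(getfattr -n security.ima -e hex --absolute-names --only-values /usr/bin/ls)"`; a file that reports `digest-ng` rather than `signature` was never signed by the package build and will not be protected by the CA this change adds.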
